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REC 8890 
The Internet is for End Users 


Abstract 


This document explains why the IAB believes that, when there is a conflict between the interests 
of end users of the Internet and other parties, IETF decisions should favor end users. It also 
explores how the IETF can more effectively achieve this. 


Status of This Memo 


This document is not an Internet Standards Track specification; it is published for informational 
purposes. 


This document is a product of the Internet Architecture Board (IAB) and represents information 
that the IAB has deemed valuable to provide for permanent record. It represents the consensus 
of the Internet Architecture Board (IAB). Documents approved for publication by the IAB are not 
candidates for any level of Internet Standard; see Section 2 of RFC 7841. 


Information about the current status of this document, any errata, and how to provide feedback 
on it may be obtained at https://www.rfc-editor.org/info/rfc8890. 


Copyright Notice 


Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights 
reserved. 


This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF 
Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this 
document. Please review these documents carefully, as they describe your rights and restrictions 
with respect to this document. 
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1. Introduction 


Many who participate in the IETF are most comfortable making what we believe to be purely 
technical decisions; our process favors technical merit through our well-known mantra of "rough 
consensus and running code." 


Nevertheless, the running code that results from our process (when things work well) inevitably 
has an impact beyond technical considerations, because the underlying decisions afford some 
uses while discouraging others. While we believe we are making only technical decisions, in 
reality, we are defining (in some degree) what is possible on the Internet itself. 


This impact has become significant. As the Internet increasingly mediates essential functions in 
societies, it has unavoidably become profoundly political; it has helped people overthrow 
governments, revolutionize social orders, swing elections, control populations, collect data about 
individuals, and reveal secrets. It has created wealth for some individuals and companies while 
destroying that of others. 
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All of this raises the question: For whom do we go through the pain of gathering rough consensus 
and writing running code? 


After all, there are a variety of parties that standards can benefit, such as (but not limited to) end 
users, network operators, schools, equipment vendors, specification authors, specification 
implementers, content owners, governments, nongovernmental organizations, social 
movements, employers, and parents. 


Successful specifications will provide some benefit to all the relevant parties because standards 
do not represent a zero-sum game. However, there are sometimes situations where there is a 
conflict between the needs of two (or more) parties. 


In these situations, when one of those parties is an "end user" of the Internet -- for example, a 
person using a web browser, mail client, or another agent that connects to the Internet -- the 
Internet Architecture Board argues that the IETF should favor their interests over those of other 
parties. 


Section 2 explains what is meant by "end users", Section 3 outlines why IETF work should 
prioritize them, and Section 4 describes how we can do that. 


2. Who Are "End Users"? 


In this document, "end users" means human users whose activities IETF standards support, 
sometimes indirectly. Thus, the end user of a protocol to manage routers is not a router 
administrator; it is the people using the network that the router operates within. 


End users are not necessarily a homogenous group; they might have different views of how the 
Internet should work and might occupy several roles, such as a seller, buyer, publisher, reader, 
service provider, and consumer. An end user might browse the Web, monitor remote equipment, 
play a game, videoconference with colleagues, send messages to friends, or perform an operation 
in a remote surgery theater. They might be "at the keyboard" or represented by software 
indirectly (e.g., as a daemon). 


Likewise, an individual end user might have many interests (e.g., privacy, security, flexibility, 
reachability) that are sometimes in tension. 


A person whose interests we need to consider might not directly be using a specific system 
connected to the Internet. For example, if a child is using a browser, the interests of that child's 
parents or guardians may be relevant. A person pictured in a photograph may have an interest 
in systems that process that photograph; a person entering a room with sensors that send data to 
the Internet may have interests that may be involved in our deliberations about how those 
sensor readings are handled. 


While such less-direct interactions between people and the Internet may be harder to evaluate, 
this document's concept of "end user" nonetheless includes such people. 
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3. Why the IETF Should Prioritize End Users 


Even before the IETF was established, the Internet technical community has focused on user 
needs since at least [RFC0001], which stated that "One of our goals must be to stimulate the 
immediate and easy use by a wide class of users." 


And, while we specialize in technical matters, the IETF is not neutral about the purpose of its 
work in developing the Internet; in "A Mission Statement for the IETF" [RFC3935], the definitions 
include: 


The IETF community wants the Internet to succeed because we believe that the 
existence of the Internet, and its influence on economics, communication, and 
education, will help us to build a better human society. 


Later, in "The Scope of the Internet" (Section 4.1 of [RFC3935]), it says: 


The Internet isn't value-neutral, and neither is the IETF. We want the Internet to be 
useful for communities that share our commitment to openness and fairness. We 
embrace technical concepts such as decentralized control, edge-user empowerment and 
sharing of resources, because those concepts resonate with the core values of the IETF 
community. These concepts have little to do with the technology that's possible, and 
much to do with the technology that we choose to create. 


In other words, the IETF develops and maintains the Internet to promote the social good. The 
society that the IETF is attempting to enhance is composed of end users, along with groups of 
them forming businesses, governments, clubs, civil society organizations, and other institutions. 


Merely advancing the measurable success of the Internet (e.g., deployment size, bandwidth, 
latency, number of users) is not an adequate goal; doing so ignores how technology is so often 
used as a lever to assert power over users, rather than empower them. 


Beyond fulfilling the IETF's mission, prioritizing end users can also help to ensure the long-term 
health of the Internet and the IETF's relevance to it. Perceptions of capture by vendors or other 
providers harm both; the IETF's work will (deservedly) lose end users' trust if it prioritizes (or is 
perceived to prioritize) others' interests over them. 


Ultimately, the Internet will succeed or fail based upon the actions of its end users, because they 
are the driving force behind its growth to date. Not prioritizing them jeopardizes the network 
effect that the Internet relies upon to provide so much value. 
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4. How the IETF Can Prioritize End Users 


There are a few ways that the IAB believes the IETF community can prioritize end users, based 
upon our observations. This is not a complete list. 


4.1. Engaging the Internet Community 


The IETF community does not have any unique insight into what is "good for end users", and it is 
not uncommon for us to be at a further disadvantage because of our close understanding of 
some -- but not all -- aspects of the Internet. 


At the same time, we have a culture of considerable deference to a broader "Internet 
community" -- roughly what this document calls end users -- in our decision-making processes. 
Mere deference, however, is not adequate; even with the best intentions, we cannot assume that 
our experiences of the Internet are those of all of its end users or that our decisions have a 
positive impact upon them. 


Therefore, we have not only a responsibility to analyze and consider the impacts of the IETF's 
work, but also a responsibility to consult with that greater Internet community. In particular, we 
should do so when one of our decisions has a potential impact upon end users. 


The IETF community faces significant hurdles in doing so. Our work is specialized and often 
esoteric, and processes for developing standards often involve very long timescales. Affected 
parties are rarely technical experts, and they often base their understanding of the Internet upon 
incomplete (and sometimes inaccurate) models. Often, even when we try to engage a broader 
audience, their participation is minimal -- until a change affects someone in a way they don't like. 
Surprising the Internet community is rarely a good outcome. 


Government-sponsored individuals sometimes participate in the IETF community. While this is 
welcome, it should not be taken as automatically representative of end users elsewhere, or even 
all end users in the relevant jurisdiction. Furthermore, what is desirable in one jurisdiction (or at 
least to its administrators) might be detrimental in others (see Section 4.4). 


While some civil society organizations specialize in technology and Internet policy, they rarely 
can participate broadly, nor are they necessarily representative of the larger Internet 
community. Nevertheless, their understanding of end-user needs is often profound, and they are 
in many ways the best-informed advocates for end-user concerns; they should be considered a 
primary channel for engaging the broader Internet community. 


A promising approach to help fill these gaps is to identify and engage with specifically affected 
communities when making decisions that might affect them, for example, one or more industry 
associations, user groups, or a set of individuals, though we can't formally ensure that they are 
appropriately representative. 
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In doing so, we should not require them to "come to us"; unless a stakeholder community is 
already engaged in the IETF process effectively, the IETF community should explore how to meet 
with them on their terms -- take the initiative to contact them, explain our work, and solicit their 
feedback. 


In particular, while IAB workshops, BOFs, and Bar BOFs can be an effective mechanism to gather 
input within our community, they rarely have the visibility into other communities that is 
required to solicit input, much less effective participation. 


Instead, an event like a workshop may be more effective if co-located with -- and ideally hosted 
or co-hosted by -- a forum that's familiar to that stakeholder community. We should also raise the 
visibility of IETF work (or potential IETF work) in such fora through conference talks, panels, 
newsletter articles, etc. 


For example, the IAB ESCAPE workshop [RFC8752] solicited input from Internet publishers and 
advertisers about a proposal that might affect them. While the workshop was considered 
successful, participation might have been improved by identifying an appropriate industry 
forum and working with them to host the event. 


When we engage with the Internet community, we should also clearly identify tailored feedback 
mechanisms (e.g., subscribing to a mailing list may not be appropriate) and assure that they are 
well known in those communities. 


The Internet Society can be an invaluable partner in these efforts; their focus on the Internet 
community, policy expertise, and resources can help to facilitate discussions with the 
appropriate parties. 


Finally, we should remember that the RFC Series contains Requests For Comments; if there are 
serious implications of our work, we should document them and ask for feedback from the 
Internet community. 


4.2. Creating User-Focused Systems 


We should pay particular attention to the kinds of architectures we create and whether they 
encourage or discourage an Internet that works for end users. 


For example, one of the most successful Internet applications is the Web, which uses the HTTP 
application protocol. One of HTTP's key implementation roles is that of the web browser -- called 
the "user agent" in [RFC7230] and other specifications. 


User agents act as intermediaries between a service and the end user; rather than downloading 
an executable program from a service that has arbitrary access into the users' system, the user 
agent only allows limited access to display content and run code in a sandboxed environment. 
End users are diverse and the ability of a few user agents to represent individual interests 
properly is imperfect, but this arrangement is an improvement over the alternative -- the need to 
trust a website completely with all information on your system to browse it. 
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Defining the user agent role in standards also creates a virtuous cycle; it allows multiple 
implementations, allowing end users to switch between them with relatively low costs (although 
there are concerns about the complexity of the Web creating barriers to entry for new 
implementations). This creates an incentive for implementers to consider the users' needs 
carefully, which are often reflected into the defining standards. The resulting ecosystem has 
many remaining problems, but a distinguished user agent role provides an opportunity to 
improve it. 


In contrast, the Internet of Things (IoT) has not yet seen the broad adoption of a similar role; 
many current systems require opaque, vendor-specific software or hardware for the user-facing 
component. Perhaps as a result of this, that ecosystem and its end users face serious challenges. 


4.3. Identifying Negative End-User Impact 


At its best, our work will unambiguously build a better human society. Sometimes, we will 
consciously be neutral and open-ended, allowing the "tussle" among stakeholders to produce a 
range of results (see [TUSSLE] for further discussion). 


At the very least, however, we must examine our work for negative impact on end users and take 
steps to mitigate it where encountered. In particular, when we've identified a conflict between 
the interests of end users and other stakeholders, we should err on the side of protecting end 
users. 


Note that "negative impact on end users" is not defined in this document; that is something that 
the relevant body (e.g., working group) needs to discuss and come to consensus on. Merely 
asserting that something is harmful is not adequate. The converse is also true, though; it's not 
good practice to avoid identifying harms, nor is it acceptable to ignore them when brought to our 
attention. 


The IAB and IETF have already established a body of guidance for situations where this conflict 
is common, including (but not limited to) [RFC7754] on filtering, [RFC7258] and [RFC7624] on 
pervasive surveillance, [RFC7288] on host firewalls, and [RFC6973] regarding privacy 
considerations. 


Much of that advice has focused on maintaining the end-to-end properties of a connection 
[RFC3724]. This does not mean that our responsibility to end users stops there; decisions might 
affect them in other ways. For example, data collection by various applications even inside 
otherwise secure connections is a major problem on the Internet today. Also, inappropriate 
concentration of power on the Internet has become a concerning phenomenon -- one that 
protocol design might have some influence upon. 


4.4. Handling Conflicting End-User Needs 


When the needs of different end users conflict (for example, two sets of end users both have 
reasonable desires), we again should try to minimize negative impact. 


Nottingham Informational Page 7 


RFC 8890 The Internet is for End Users August 2020 


For example, when a decision improves the Internet for end users in one jurisdiction, but at the 
cost of potential harm to others elsewhere, that is not a good trade-off. As such, we design the 
Internet for the pessimal environment; if a user can be harmed, they probably will be, 
somewhere. 


There may be cases where genuine technical need requires compromise. However, such trade- 
offs are carefully examined and avoided when there are alternate means of achieving the 
desired goals. If they cannot be, these choices and reasoning ought to be thoroughly documented. 


4.5. Deprioritizing Internal Needs 


There are several needs that are very visible to us as specification authors but should explicitly 
not be prioritized over the needs of end users. 


These include convenience for document editors, IETF process matters, and "architectural 
purity" for its own sake. 


5. IANA Considerations 


This document has no IANA actions. 


6. Security Considerations 


This document does not have any direct security impact; however, failing to prioritize end users 
might well affect their security negatively in the long term. 
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